CryptoLocker
Date: September 5th, 2013
Creator: lucky12345 (Evgeniy Bogachev)
Origin: Russia
Cost: $30 Million
Family: CryptoLocker
Size: 692 KB (708,608 Bytes)
MD5: bc11c93f1b6dc74bf4804a35b34d9267
SHA1: a18c25ed1282f56225d21c6460ffaaf16ae0d965
SHA256: a2bc3059283d7cc7bc574ce32cb6b8bfd27e02ac3810a21bd3a9b84c17f18a72
Authentihash: 161bdc5d6bd9d09f4e61895ba74b961e1b67eca8fa03fb2e722bfa6ec811a17c
Imphash: 68c337209ef4ccc294358557605e4a2f
ssdeep: 12288:GebREpUV8gO1Axt4Kkp7vSCfnuf9Ooj0N:ZbepUV8gOit4KW79aOoQ
vhash: 075046656d651az3f!z

CryptoLocker is a widespread ransomware trojan for Microsoft Windows that spreads via email and is considered one of the first ransomware families. The CryptoLocker executable arrives inside a ZIP file attached to an email message; the executable's file name and icon are disguised as a PDF, taking advantage of Windows' default behavior of hiding known file extensions so that the .exe extension is never shown to the user.

Payload Transmission

This infection is typically spread through emails sent to company email addresses that pretend to be customer support related issues from FedEx, UPS, DHS, etc. These emails contain a ZIP attachment that infects the computer when opened. The ZIP files contain executables that are disguised as PDF files: they carry a PDF icon and are typically named something like FORM_101513.exe or FORM_101513.pdf.exe. Since Windows does not show file extensions by default, they look like normal PDF files and people open them.

When CryptoLocker was first released, it was distributed by itself. Newer malicious attachments appear to be Zbot infections that then install CryptoLocker. A user can tell they are infected with Zbot because there will be a registry key of the form:

HKCU\Software\Microsoft\

Under these keys, the user will see value names whose data appears to be garbage (encrypted information). The droppers will also be found in the %Temp% folder, and the main executable will be stored in a random folder under %AppData%. Last but not least, a startup entry will be created under HKCU\Software\Microsoft\Windows\CurrentVersion\Run to launch it.

An example Zbot/CryptoLocker email message is:

-----Original Message-----
From: John Doe mailto:John@mydomain.com
Sent: Tuesday, October 15, 2013 10:34 AM
To: Jane Doe
Subject: Annual Form - Authorization to Use Privately Owned Vehicle on State Business

All employees need to have on file this form STD 261 (attached). The original is retained by supervisor and copy goes to Accounting. Accounting need this form to approve mileage reimbursement. The form can be used for multiple years, however it needs to re-signed annually by employee and supervisor.

Please confirm all employees that may travel using their private car on state business (including training) has a current STD 261 on file. Not having a current copy of this form on file in Accounting may delay a travel reimbursement claim.

Infection

CryptoLocker's payload encrypts the victim's files with RSA-2048, a method that is not practical to crack, and refuses to unlock the files until a ransom of 500 units of currency ($500, €500, £500, etc.) is paid. However, people who paid the ransom never had their files decrypted. The victim is given about 72 hours to pay the ransom; if this is not done, the program deletes the decryption key, preventing any recovery of the data.

When a user first becomes infected with CryptoLocker, it saves itself under a random file name in the root of the %AppData% or %LocalAppData% path. It then creates one of the following autostart entries in the registry to start CryptoLocker when the user logs in:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CryptoLocker"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "*CryptoLocker"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CryptoLocker_"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "*CryptoLocker_"
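The two traits described above, the double-extension lure inside the ZIP attachment and the Run/RunOnce autostart entries pointing into the user's profile, are both easy to check for mechanically. The following is an added defender-side example written for this page; it is not code from the original wiki article or from any vendor tool. It constructs its own sample data: an in-memory ZIP whose member FORM_101513.pdf.exe contains only a bare "MZ" header (not a real program), and a small registry export in .reg syntax with file paths and names (jane, Xkqwzrtn.exe, Qwdbtbsa.exe, the OneDrive entry) that are invented for the demo. The known value names CryptoLocker, *CryptoLocker, CryptoLocker_ and *CryptoLocker_ come from the page; the function names are the example's own.

```python
"""Added example: attachment triage and autostart-entry checks for the
CryptoLocker delivery and persistence traits described on the page.
All sample data here is constructed for the demo."""
import io
import re
import zipfile

# Extensions Windows will execute, and document extensions used as a disguise.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def suspicious_zip_members(zip_bytes):
    """Return [(member_name, reasons)] for members that look like a disguised
    executable. The icon is ignored entirely: the decision rests on the LAST
    extension (what Windows actually runs) and on the file's magic bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            lower = info.filename.lower()
            parts = lower.rsplit(".", 2)  # 'form_101513.pdf.exe' -> [..., 'pdf', 'exe']
            real_ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons = []
            if real_ext in EXEC_EXTENSIONS:
                reasons.append("executable extension " + real_ext)
                if len(parts) == 3 and "." + parts[1] in DOC_EXTENSIONS:
                    reasons.append("double extension disguised as ." + parts[1])
            if zf.open(info).read(2) == b"MZ":  # PE magic
                reasons.append("PE (MZ) header")
                if real_ext in DOC_EXTENSIONS:
                    reasons.append("document extension on PE file")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_attachment():
    """Constructed demo ZIP shaped like the lure on the page: one member named
    FORM_101513.pdf.exe whose content is just a PE header stub, plus a benign
    text file. Not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FORM_101513.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("README.txt", b"Constructed benign member.\n")
    return buf.getvalue()


# Value names the page lists under HKCU\...\CurrentVersion\Run and RunOnce.
KNOWN_VALUE_NAMES = {"CryptoLocker", "*CryptoLocker", "CryptoLocker_", "*CryptoLocker_"}
AUTOSTART_KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\]$",
    re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# CryptoLocker drops into the root of %AppData% / %LocalAppData%; Zbot into a
# random folder under %AppData%. Either way the autostart points into the profile.
USER_PROFILE_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\")


def find_autostart_indicators(reg_export):
    """Parse .reg export text; return [(key, value_name, data, reasons)] for
    Run/RunOnce values that match the listed names or launch from AppData."""
    findings = []
    current_key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = AUTOSTART_KEY_RE.match(line)
            current_key = line[1:-1] if m else None  # only track Run/RunOnce
            continue
        v = VALUE_RE.match(line) if current_key else None
        if not v:
            continue
        name = v.group(1)
        data = v.group(2).replace("\\\\", "\\")  # undo .reg backslash escaping
        reasons = []
        if name in KNOWN_VALUE_NAMES:
            reasons.append("value name matches CryptoLocker autostart entry")
        if any(d in data.lower() for d in USER_PROFILE_DIRS):
            reasons.append("autostart points into user AppData")
        if reasons:
            findings.append((current_key, name, data, reasons))
    return findings


# Constructed .reg export: one benign entry and two entries shaped like the
# page's persistence keys (user name and file names are invented).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"
"CryptoLocker"="C:\\Users\\jane\\AppData\\Roaming\\Xkqwzrtn.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"*CryptoLocker_"="C:\\Users\\jane\\AppData\\Local\\Qwdbtbsa.exe"
'''

if __name__ == "__main__":
    for name, reasons in suspicious_zip_members(build_sample_attachment()):
        print("attachment:", name, "->", "; ".join(reasons))
    for key, name, data, reasons in find_autostart_indicators(SAMPLE_REG_EXPORT):
        print("autostart:", key.rsplit("\\", 1)[-1], name, data, "->", "; ".join(reasons))
```

On the constructed sample the ZIP check flags only FORM_101513.pdf.exe (executable extension, double extension disguised as .pdf, PE header), and the registry check flags the CryptoLocker value under Run and the *CryptoLocker_ value under RunOnce while leaving the Program Files entry alone. On a live host the same parsing applies to the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and the matching RunOnce key; the AppData heuristic will also surface legitimate per-user installers, so treat that reason alone as a lead to review rather than a verdict.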